Minimizing Down-time Cut-in of Zone Based Policy Firewall

mmedwid (Level 3)

A client has an existing router to which I need to add ZBF. The design guide below talks about the overall configuration of ZBF. But because this router is so actively used, I can't rough it in. I need to get the downtime down to about a minute.

So - to minimize outage would the order be:

1) Add classmaps,

2) Add policy maps

3) Add zones.

4) Add zone-pairs.

5) Assign interfaces to zones. ??

To "deactivate ZBF" if it doesn't go well...is the fastest way to remove all interfaces from zone membership?

Thanks.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Accepted Solution
Hi Michael,

Your plan looks good to me. If possible, I would recommend both writing and testing the configuration on a non-production router first. This way, you can work out any quirks in your config and make sure everything works as expected. Once this is done, you can copy the configuration into a text editor and simply paste it into the production router during a brief maintenance window.

Also, you are correct in that the fastest way to "deactivate" ZBFW is to simply remove the interfaces' zone membership.

Hope that helps.

-Mike
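As an added example (not from the thread and not from the Cisco tech note linked above), here is what the five steps look like as an IOS configuration in the order proposed in the question, written the way the accepted answer suggests: staged in a text editor and pasted in one go during the maintenance window. Zone names, class-map and policy-map names and the GigabitEthernet0/0 and 0/1 interfaces are assumptions. Steps 1 through 4 only create objects and have no effect on forwarding until an interface becomes a zone member, so step 5 is the only part of the paste that can cause an outage; it is kept last, and both interfaces are assigned together because traffic between a zone-member interface and an interface in no zone is dropped.

```cisco
! Step 1: class maps, define which traffic the policy acts on
! (assumed example: inspect all TCP, UDP and ICMP from inside to outside)
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Step 2: policy map, "inspect" creates stateful sessions so return
! traffic is allowed back; everything not classified is dropped and logged
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Step 3: zones (assumed names); still no effect on forwarding
zone security INSIDE
zone security OUTSIDE
!
! Step 4: zone pair with the policy attached. This must exist before any
! interface joins a zone: inter-zone traffic with no zone pair is dropped.
! Intra-zone traffic and traffic to/from the router itself (the self zone)
! stay permitted by default because no policy involving them is defined,
! so SSH to the router from INSIDE keeps working after the cut-in.
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Step 5: interface membership, the only step that changes how traffic is
! handled. Both interfaces go in the same paste so there is no window in
! which one is zoned and the other is not.
interface GigabitEthernet0/0
 description inside LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description outside / WAN (assumed)
 zone-member security OUTSIDE
```

Because the paste is ordered this way, the downtime is bounded by how long step 5 takes to apply rather than by the whole configuration; if anything in steps 1 through 4 is rejected by the parser, nothing has changed on the wire yet and the paste can be corrected before going further.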

Mike,

If you remove the interfaces' zone membership, doesn't IOS firewall default to not passing any traffic?

No, it doesn't. When you remove zone membership from interfaces, ZBF is no longer in effect for those interfaces, which means any policies applied in ZBF also become void for those interfaces.
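As an added example (not from the thread), this is the back-out the replies above describe, with a configuration checkpoint taken beforehand and show commands to confirm the policy no longer applies. The interface names, zone names and the flash file name are assumptions, matching a staged config rather than anything in the original post.

```cisco
! Before the cut-in: checkpoint the pre-ZBF running config so a complete
! restore is available in one command if the piecemeal back-out is not enough
copy running-config flash:pre-zbf.cfg
!
! Fastest back-out, as the replies state: remove zone membership from every
! zoned interface in a single paste. Do not remove only one of them: traffic
! between a zone-member interface and an interface in no zone is dropped,
! so a half-removed state would black-hole traffic rather than open it up.
configure terminal
 interface GigabitEthernet0/0
  no zone-member security INSIDE
 interface GigabitEthernet0/1
  no zone-member security OUTSIDE
end
!
! Confirm: the zones still exist but list no member interfaces, the zone pair
! is still defined but has no interfaces on either side, and no inspect
! sessions are being created
show zone security
show zone-pair security
show policy-map type inspect zone-pair sessions
!
! Full restore of the pre-cut-in configuration, if preferred over leaving
! the now-unused class maps, policy maps and zones in the running config
configure replace flash:pre-zbf.cfg
```

With membership removed the router forwards as it did before the change, since ZBF only acts on traffic crossing interfaces that belong to zones; the remaining class maps, policy maps and zone pair are inert until an interface is put back into a zone.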
